Sindre, G., Opdahl, A. L., Eliciting security requirements with misuse cases, Requirements Engineering Journal, Volume 10 (2005), pp. 34-44

Summary:

Sindre and Opdahl extend the notion of use cases with a negative counterpart, the misuse case. The major difference is that a use case achieves something of value for the system owner, whereas a misuse case describes behaviour that is harmful to the owner or to other stakeholders. The approach gives analysts constructs for modeling and analyzing malicious behaviour, expressed as misuse cases that threaten use cases, and for modeling countermeasures, expressed as security use cases that mitigate misuse cases. Accordingly, the include and extend relationships are extended to misuse cases, and a threatens relationship (use case to misuse case) and a mitigates, or prevents, relationship (security use case to misuse case) are added to the models. The basic concepts of the framework and their relation to the UML metamodel are given in a metamodel.

The process of eliciting security requirements with misuse cases consists of five steps: (1) identify the critical assets; (2) define security requirements (goals such as confidentiality, integrity or availability) for each asset; (3) identify the threats to each security requirement and express them as misuse cases; (4) identify and analyze the risk of each threat; and (5) define security requirements for the threats, either as security use cases that mitigate the misuse cases or as entries in the mitigation field of the misuse case description.
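The following is an added illustration, not code from the paper: a small Python model of the constructs above (use cases with include/extend, misuse cases that threaten use cases and violate a security requirement, security use cases that mitigate misuse cases), populated with a constructed online-shop example that walks the five steps as data. The two checks a practitioner would want from such a model are included: which misuse cases are left with neither a mitigating security use case nor a mitigation entry, and a trace from a security use case back to the threat, requirement and asset that motivated it. The rule that a threat to an included use case also threatens the including one is my assumption, not something the summary states.

```python
from dataclasses import dataclass, field


@dataclass
class UseCase:
    name: str
    includes: list = field(default_factory=list)  # names of included use cases
    extends: str = ""                              # name of the use case this one extends, if any


@dataclass
class SecurityRequirement:
    ident: str
    asset: str   # step 1: the critical asset the requirement protects
    goal: str    # step 2: confidentiality, integrity, availability, ...


@dataclass
class MisuseCase:
    name: str
    threatens: list        # use cases whose value the misuser destroys
    violates: str          # step 3: the security requirement this threat targets
    risk: str = "unrated"  # step 4: outcome of the risk analysis
    mitigation: str = ""   # step 5, option b: mitigation field of the description


@dataclass
class SecurityUseCase:
    name: str
    mitigates: list        # step 5, option a: misuse cases this security use case mitigates


@dataclass
class MisuseCaseModel:
    requirements: dict
    use_cases: dict
    misuse_cases: dict
    security_use_cases: dict

    def check_references(self):
        """Report dangling names; a relationship to an unknown element is a modeling error."""
        problems = []
        for mc in self.misuse_cases.values():
            for uc in mc.threatens:
                if uc not in self.use_cases:
                    problems.append(f"{mc.name} threatens unknown use case {uc}")
            if mc.violates not in self.requirements:
                problems.append(f"{mc.name} violates unknown requirement {mc.violates}")
        for suc in self.security_use_cases.values():
            for mc in suc.mitigates:
                if mc not in self.misuse_cases:
                    problems.append(f"{suc.name} mitigates unknown misuse case {mc}")
        return problems

    def threats_to(self, use_case):
        """Misuse cases threatening a use case directly or via a use case it includes (assumed rule)."""
        seen, stack, found = set(), [use_case], set()
        while stack:
            uc = stack.pop()
            if uc in seen:
                continue
            seen.add(uc)
            found.update(n for n, mc in self.misuse_cases.items() if uc in mc.threatens)
            stack.extend(self.use_cases[uc].includes)
        return sorted(found)

    def unmitigated(self):
        """Misuse cases with neither a mitigating security use case nor a mitigation entry."""
        covered = {m for suc in self.security_use_cases.values() for m in suc.mitigates}
        return sorted(n for n, mc in self.misuse_cases.items()
                      if n not in covered and not mc.mitigation)

    def trace(self, security_use_case):
        """Trace a security use case back to (misuse case, risk, requirement, asset)."""
        suc = self.security_use_cases[security_use_case]
        chain = []
        for mc_name in suc.mitigates:
            mc = self.misuse_cases[mc_name]
            req = self.requirements[mc.violates]
            chain.append((mc_name, mc.risk, req.ident, req.asset))
        return chain


def build_example_model():
    """Constructed online-shop example; all names are invented for illustration."""
    requirements = {
        "SR1": SecurityRequirement("SR1", "customer records", "confidentiality"),
        "SR2": SecurityRequirement("SR2", "order service", "availability"),
        "SR3": SecurityRequirement("SR3", "order data", "integrity"),
    }
    use_cases = {
        "Register customer": UseCase("Register customer"),
        "Order goods": UseCase("Order goods", includes=["Pay"]),
        "Pay": UseCase("Pay"),
    }
    misuse_cases = {
        "Steal customer records": MisuseCase("Steal customer records",
                                             ["Register customer"], "SR1", risk="high"),
        "Flood order service": MisuseCase("Flood order service", ["Order goods"], "SR2",
                                          risk="medium", mitigation="rate-limit per client"),
        "Tamper with order": MisuseCase("Tamper with order", ["Pay"], "SR3", risk="high"),
    }
    security_use_cases = {
        "Encrypt records": SecurityUseCase("Encrypt records", ["Steal customer records"]),
    }
    return MisuseCaseModel(requirements, use_cases, misuse_cases, security_use_cases)


if __name__ == "__main__":
    model = build_example_model()
    print("reference problems:", model.check_references())
    print("threats to Order goods:", model.threats_to("Order goods"))
    print("unmitigated:", model.unmitigated())
    print("trace Encrypt records:", model.trace("Encrypt records"))
```

Running the script reports "Tamper with order" as the one threat still lacking a countermeasure, and shows that "Order goods" inherits the tampering threat through the included "Pay" use case, which is the kind of link the authors argue the diagrams make visible.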

Why it is good:

Looking at the system from a misuser's perspective increases the chance of discovering threats that would otherwise be overlooked. The authors assert that visualizing the links between use cases and misuse cases helps organize the requirements specification and supports tracing each security requirement to the threat that motivated it.

Problems and limitations:

The elicitation process does not consider why or how security goals are defined before the threats to the assets have been analyzed: security requirements are fixed in step 2, yet the threats that should justify them are only identified in step 3. In addition, threats do not only target security goals; a threat may target an asset or a service directly rather than a particular security goal. Finally, the notion of a misuse case cannot express which vulnerability a misuse case exploits to threaten a use case, why the misuser attacks the system, or what impact a security use case has on the other use cases.